From a739c21fa91ca02d65f3414e09c06c220a8dd5fa Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 5 May 2022 16:12:14 +0200
Subject: surtr: ...
---
 hosts/surtr/email/default.nix | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)
(limited to 'hosts/surtr')
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 165e0eb2..0c625325 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -47,10 +47,10 @@ with lib;
 smtp_dns_support_level = "dnssec";
 tls_server_sni_maps = ''texthash:${pkgs.writeText "sni" ''
- bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
- mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.sni.pem
- mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.sni.pem
- .bouncy.email /run/credentials/postfix.service/bouncy.email.sni.pem
+ bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
+ mailin.bouncy.email /run/credentials/postfix.service/mailin.bouncy.email.full.pem
+ mailsub.bouncy.email /run/credentials/postfix.service/mailsub.bouncy.email.full.pem
+ .bouncy.email /run/credentials/postfix.service/bouncy.email.full.pem
 ''}'';
 local_recipient_maps = "";
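Review bot: The four new map values point at `/run/credentials/postfix.service/<domain>.full.pem`, but the LoadCredential entries in the second hunk still register the credentials under the ids `bouncy.email.sni.pem`, `mailin.bouncy.email.sni.pem` and `mailsub.bouncy.email.sni.pem`; only their source paths were changed. systemd exposes each loaded credential under its id, so the paths in this texthash table would name files that are not present in the credentials directory, and Postfix would presumably be unable to load a key and chain for those SNI names. Either keep the `.sni.pem` names here or rename the ids to match, e.g. `"bouncy.email.full.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"`, and likewise for the other two entries.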
@@ -166,20 +166,12 @@ with lib;
 };
 systemd.services.postfix = {
- preStart = concatMapStringsSep "\n" (domain: ''
- (
- umask 0037
- cat /var/lib/acme/${domain}/key.pem /var/lib/acme/${domain}/full.pem > /var/lib/acme/${domain}/sni.pem
- chown acme:acme /var/lib/acme/${domain}/sni.pem
- )
- '') ["bouncy.email" "mailin.bouncy.email" "mailsub.bouncy.email" "surtr.yggdrasil.li"];
-
 serviceConfig.LoadCredential = [
 "surtr.yggdrasil.li.key.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/key.pem"
 "surtr.yggdrasil.li.pem:${config.security.acme.certs."surtr.yggdrasil.li".directory}/fullchain.pem"
- "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/sni.pem"
- "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/sni.pem"
- "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/sni.pem"
+ "bouncy.email.sni.pem:${config.security.acme.certs."bouncy.email".directory}/full.pem"
+ "mailin.bouncy.email.sni.pem:${config.security.acme.certs."mailin.bouncy.email".directory}/full.pem"
+ "mailsub.bouncy.email.sni.pem:${config.security.acme.certs."mailsub.bouncy.email".directory}/full.pem"
 ];
 };
 };
--
cgit v1.2.3
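Review bot: Nothing on the new side records why `full.pem` can be handed to Postfix unmodified now that the preStart concatenation is gone. The three changed LoadCredential entries depend on the ACME module writing the private key ahead of the certificate chain in that file, which is the order Postfix expects for SNI chain files. A comment above the list such as `# full.pem = key.pem followed by fullchain.pem; Postfix needs the key first` would pin that assumption, and it should be confirmed against the acme module in use. Separately, the `sni.pem` files that earlier deployments wrote into /var/lib/acme/<domain>/ hold a copy of the private key and are no longer refreshed or removed by anything visible here, so a one-off cleanup is worth doing.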